You can either use an object policy or AWS Identity and Access Management (IAM) policies: you can create an IAM policy that restricts the file types for uploading. Attach the policy to the IAM user or group that needs restricted access, i.e. this allows only PDF files:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificFileTypes",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-meta-file-type": [
            "application/pdf"
          ]
        }
      }
    }
  ]
}

Try this out and let us know.
What if an object name is not <name>.extension but just name, e.g. example? Is this policy just useless then? If yes, how to make this policy "stronger"?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
I agree with Moti, and I would like a response from AWS on his question. This article comes up as number 1 on a Google search for "prevent s3 unrestricted file upload", and it's penned by an AWS employee.
But filtering on filename is not best-practice security; it needs to be able to filter on the file's content to be secure. Our pen tester raised this with us, and they will not accept this as a solution for restraining unrestricted file upload, as it's trivial to upload an .exe and name it .jpg.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
To address the comments made by Moti & Scott Davey above, please see this blog post: Amazon GuardDuty Malware Protection
Implementing a bucket policy to block .exe file uploads can be a useful security measure, even though it may not be a foolproof solution. A malicious actor could potentially bypass the policy by renaming the .exe file to a different extension, such as .jpg, or by removing the extension altogether. However, this approach can still help reduce the chances of a user accidentally double-clicking on an .exe file, as they would need to manually rename the file back to .exe in order to run it.
In addition to the bucket policy, you can further strengthen your security by leveraging Amazon GuardDuty's Malware Protection feature. This service can help detect and protect against malware threats, providing an additional layer of security.
It's important to note that there is no single "one-size-fits-all" security solution. The more security layers you can implement, the better. By combining multiple protective measures, such as the bucket policy and Amazon GuardDuty, you can enhance the overall security of your S3 environment and reduce the risk of unauthorized or accidental access to potentially malicious files.
The statement that the user would have to manually rename the file extension is not accurate in all cases, since there is no way to limit the content, and that is not checked when uploaded. Additionally, it seems that AWS takes the supplied content type over the file extension. We tested putting a bucket policy in place as described here, which did not allow certain extensions, including .html. However, when uploading, the file extension was .txt but the Content-Type header was changed to text/html. This was accepted. In S3, the file showed as filename.txt. However, when downloaded from S3, the file was renamed filename.html, therefore completely bypassing the bucket policy. Is there any fix for this?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
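The thread above makes two points that a key-name bucket policy cannot address on its own: an object with no extension (Moti's "example") is not matched by an extension pattern, and a .txt key with a text/html Content-Type, or an .exe body behind a .jpg key, passes a name check unchanged. The following is an added example, written for this thread and not taken from the AWS article, the GuardDuty blog post or any commenter: a small Python validator that requires the key's extension, the declared Content-Type and the leading bytes of the body to agree before an upload is accepted. The allowlist, the Content-Type mapping and the magic-byte table are assumptions chosen for illustration; the sample uploads at the bottom are constructed.

```python
"""Content-aware upload validation (added example, not AWS's own tooling).

An object is accepted only when three independent views of it agree:
  1. the key's extension is on the allowlist (what a bucket policy can enforce),
  2. the declared Content-Type maps to that same extension,
  3. the first bytes of the body look like that format.
"""
from typing import Optional, Tuple

# Assumed allowlist for the example bucket.
ALLOWED_EXTENSIONS = {"pdf", "jpg", "png", "txt"}

# Extension each accepted Content-Type is expected to carry (assumed mapping).
EXT_FOR_CONTENT_TYPE = {
    "application/pdf": "pdf",
    "image/jpeg": "jpg",
    "image/png": "png",
    "text/plain": "txt",
}

# Leading-byte signatures of the binary formats on the allowlist.
MAGIC = {
    "pdf": (b"%PDF-",),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Markers that disqualify a body from being treated as plain text.
HTML_MARKERS = (b"<html", b"<script", b"<!doctype html")


def key_extension(key: str) -> Optional[str]:
    """Return the lower-cased extension of an object key, or None if it has none."""
    name = key.rsplit("/", 1)[-1]            # ignore any prefix ("folders") in the key
    if "." not in name or name.endswith("."):
        return None
    return name.rsplit(".", 1)[-1].lower()


def sniff_extension(head: bytes) -> Optional[str]:
    """Guess the format from the body's first bytes, ignoring key and headers."""
    for ext, signatures in MAGIC.items():
        if any(head.startswith(sig) for sig in signatures):
            return ext
    # Plain text: must decode as UTF-8, contain no NUL bytes and not look like HTML.
    if b"\x00" not in head:
        try:
            head.decode("utf-8")
        except UnicodeDecodeError:
            return None
        if not any(marker in head.lower() for marker in HTML_MARKERS):
            return "txt"
    return None


def evaluate_upload(key: str, content_type: str, head: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason). Any disagreement between the three views rejects."""
    ext = key_extension(key)
    if ext is None:
        return False, "key has no extension"           # the bare "example" key case
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"  # the part a bucket policy covers
    declared = content_type.split(";", 1)[0].strip().lower()   # drop charset parameters
    if EXT_FOR_CONTENT_TYPE.get(declared) != ext:
        return False, f"Content-Type {declared!r} does not match .{ext}"   # .txt + text/html
    sniffed = sniff_extension(head)
    if sniffed != ext:
        return False, f"body looks like {sniffed or 'unknown'}, not .{ext}"  # renamed .exe
    return True, "ok"


# Constructed sample uploads: (key, declared Content-Type, first bytes of the body).
SAMPLE_UPLOADS = [
    ("report.pdf", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("photo.jpg", "image/jpeg", b"MZ\x90\x00\x03\x00\x00\x00"),        # PE header behind .jpg
    ("notes.txt", "text/html", b"<html><body>hi</body></html>"),      # the bypass from the thread
    ("example", "application/pdf", b"%PDF-1.4"),                      # key without an extension
    ("tool.exe", "application/octet-stream", b"MZ"),
    ("readme.txt", "text/plain", b"hello world\n"),
]


def scan_samples() -> list:
    """Evaluate every constructed sample and return the verdicts in order."""
    return [(key, *evaluate_upload(key, ctype, head)) for key, ctype, head in SAMPLE_UPLOADS]


if __name__ == "__main__":
    for key, allowed, reason in scan_samples():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {key:12} {reason}")
```

In a real deployment this check runs after the PutObject has already succeeded (S3 does not call out during the upload), so it belongs in an S3 event-triggered function that reads the first few hundred bytes with a ranged GET and quarantines or deletes objects that fail, with the bucket policy kept as the cheap first layer. The magic-byte table only covers the formats on the allowlist; anything unrecognised is rejected rather than guessed at.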